PT-2023-26485 · Unknown · Dietpi-Dashboard

Ravenclaw900 · Published 2023-07-27 · Updated 2023-08-03 · CVE-2023-38505

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: DietPi-Dashboard version 0.6.1

Description: DietPi-Dashboard allows only one TLS handshake to be in progress at any given moment. Once a TCP connection is established in HTTPS mode, the dashboard waits indefinitely for that connection's handshake to start or for an error to occur. An attacker can exploit this by opening a connection and never starting the handshake, which prevents every other TLS handshake from getting through and locks the dashboard in a waiting state. This prevents legitimate traffic from reaching the dashboard and can last indefinitely.

Recommendations: For DietPi-Dashboard version 0.6.1, update to version 0.6.2 to resolve the issue. As a temporary workaround, do not use HTTPS mode on the open internet where anyone can connect; instead, put a reverse proxy in front of the dashboard to handle any HTTPS connections.
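The failure mode described above reduced to its accept-loop structure, as an added Rust example that is not DietPi-Dashboard's own code: a constructed stand-in "handshake" that must receive the peer's first message, run either one connection at a time with no deadline (the vulnerable pattern) or one thread per connection with a per-connection timeout (the hardened pattern). The 500 ms client wait and the 5 s handshake deadline are assumed values chosen for the demonstration.

```rust
use std::io::{Read, Write};
use std::net::{TcpListener, TcpStream};
use std::thread;
use std::time::Duration;

// Constructed stand-in for a TLS handshake: the server needs the peer's first
// message (the ClientHello in real TLS) before it can go on. The peer in the
// advisory never sends it. `deadline` is the per-connection handshake timeout;
// None reproduces the "wait indefinitely" behaviour the advisory describes.
fn handshake(stream: &mut TcpStream, deadline: Option<Duration>) -> std::io::Result<()> {
    stream.set_read_timeout(deadline)?;
    let mut first = [0u8; 1];
    stream.read_exact(&mut first)?; // Err on timeout or peer disconnect
    stream.write_all(b"OK")
}

/// Accept loop. `concurrent == false` handshakes one connection at a time on
/// the listener's own thread, so a silent peer stalls every later connection
/// (the advisory's failure mode). `concurrent == true` gives each connection
/// its own thread, so a silent peer ties up one thread only until `deadline`.
pub fn serve(listener: TcpListener, concurrent: bool, deadline: Option<Duration>, max_conns: usize) {
    for mut s in listener.incoming().take(max_conns).flatten() {
        if concurrent {
            thread::spawn(move || { let _ = handshake(&mut s, deadline); });
        } else {
            let _ = handshake(&mut s, deadline);
        }
    }
}

/// Start a server, open one connection that never sends its first byte, then
/// check whether a second, well-behaved client still gets a reply within 500 ms.
pub fn second_client_served(concurrent: bool, deadline: Option<Duration>) -> bool {
    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
    let addr = listener.local_addr().unwrap();
    thread::spawn(move || serve(listener, concurrent, deadline, 2));
    let _idle = TcpStream::connect(addr).unwrap(); // opens TCP, never handshakes
    let mut good = TcpStream::connect(addr).unwrap();
    good.set_read_timeout(Some(Duration::from_millis(500))).unwrap();
    good.write_all(b"x").unwrap();
    let mut reply = [0u8; 2];
    good.read_exact(&mut reply).is_ok() && &reply == b"OK"
}

fn main() {
    println!("vulnerable pattern serves 2nd client: {}", second_client_served(false, None));
    println!("hardened pattern serves 2nd client:  {}", second_client_served(true, Some(Duration::from_secs(5))));
}
```

The same two properties, a deadline on the handshake and not serializing handshakes on the accept loop, are what a reverse proxy in front of the dashboard supplies for real TLS connections.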

Exploit

Fix

Weakness Enumeration

Improper Locking

Related Identifiers

CVE-2023-38505
GHSA-3JR4-9RXF-FR44

Affected Products

Dietpi-Dashboard